You are trying to take something which is inherently online (sending and verifying an SMS OTP code) and make it offline. This is possible, but it will require great thought to do it correctly, and the approach you take will depend on your requirements (ie your question does not contain enough details to decide which is the best solution).
I think the first step is for you to examine security properties that a traditional online OTP system provides, and decide which are important for you to preserve in your offline system. Once you have this list of requirements laid out, the set of viable solutions will likely become obvious.
I am not intending to provide a complete list of security properties that OTP gives -- I leave that as an exercise for the reader -- but here are some ideas to get you started:
- Uniqueness: Each SMS OTP code is unique and the client must provide the one sent to them (ie if the system currently has 1,000 active OTPs, then your offline system needs to only accept the one sent to this client and reject the other 999).
- Lifetime / expiry: SMS OTP codes typically expire after 15 minutes. You will likely want your offline system to reject codes older than 15 mins (or whatever time period is appropriate for your offline use-case).
- One-time use: As the name implies, OTPs are intended to be one-time use, ie you can only use them once. If this is a required property of your offline system, then you will have a significant engineering problem ahead of you.
Solution for "one-time" problem.
I don't know exactly your design requirements, but a solution that might satisfy the "one-time" property might look something like this:
- Before leaving WiFi, the delivery driver indicates which customer they are delivering for and the time they expect to make the delivery,
- The OTP server generates an OTP for that customer and gives the OTP code to the driver's app.
- 15 minutes / 30 minutes / 1 hour / whatever before the expected delivery time, the system sends that code to the customer via SMS. (you will likely need to make the lifetime of this code long enough to account for variance in delivery times, for example maybe 24 hours is not unreasonable here). At this point the server no longer needs to know the OTP code and could delete it from the server's DB.
- When the driver enters / scans the customer's code, their local offline app records that code as USED and will not accept it again.
- Since the OTP server generated this OTP for offline use, the server will not accept it directly, and it will not give that OTP code to any other driver's app (it will generate a new OTP if a new driver takes over that delivery). This way that OTP code will only work against the intended driver's app, and only once.